Embed Size (px)
Citation preview
GDPR & The Future of Payroll: What you need to know about consent, emailing payslips, and your legal obligation
In this guide, we will specifically look at the impact of GDPR on your payroll processing and highlight the biggest areas of concern.
We will walk through some important steps to achieve GDPR compliance.
The General Data Protection Regulation (GDPR) is the latest regulation to rock the payroll and accounting industry. Getting compliance right will be a cause for concern for payroll bureaus who manage and process their client’s payroll data. The concept of GDPR will involve an update to the current regulation which will replace the Data Protection Act 1998. It will require businesses to protect the personal data and privacy of EU citizens for transactions that occur within the EU. The new regulation will apply to every company including sole traders who process the personal data of individuals operating in the EU.
The GDPR DeadlineThe GDPR deadline is the 25th May 2018 and will protect individuals data in an increasingly data driven world. The 25th May is not a start date but rather a deadline for companies to prepare and become compliant by.
An Introduction
25MAY
What does GDPR mean for your payroll processing?• How GDPR affects your payroll processing• GDPR preparation • Outsourcing your payroll • Proof of compliance• Protecting payroll data
Payslips & GDPR Compliance• Employee consent• Emailing payslips • Recommended self-service access
Breaching GDPR• Data breach plan of action• Non-compliance and penalties
How is BrightPay Preparing?• BrightPay Connect - online self-service portal• Enhanced security measures
In this guide, we will specifically look at the impact of GDPR on your payroll processing and highlight the biggest areas of concern.
We will walk you through some important steps to achieve GDPR compliance by examining the following topics:
Businesses process large amounts of personal data, not least in relation to their customers and their own employees. Consequently, the GDPR will affect most if not all areas of the business and the impact cannot be overstated. All businesses are required to make sure that their data will be processed securely and responsibly under GDPR.
Given technological advancements and recent cyber attacks, an updated security process is definitely required by businesses to protect the personal data that they manage. GDPR is not a new concept, it is simply a data protection process that is being upgraded to protect all individuals. GDPR will see an overhaul of the Data Protection Act and the way we currently process, manage and store individual’s personal data.
Businesses are legally obliged to protect payroll information on behalf of their employees where they must:
• Only collect information they need for the specific purpose of completing the payroll.
• Keep employee payroll information safe and secure.
• Ensure employee’s data is relevant and up-to-date for the purpose of processing the payroll.
• Only hold information they need and for as long as they need it to manage the payroll.
• Allow their employees to view their personal information that is kept upon request.
1 What does GDPR mean for your payroll processing?
How GDPR affects your payroll processing?Employers must provide employees and any job applicants with a privacy notice setting out certain details about how their information is managed. Employees will have greater rights to be informed about how long their information will be stored and how it will be used. Employees can request access to the personal information that is held on them where they can request to have it rectified and in some cases where there are no compelling reasons to retain the data, they can request for it to be deleted. Employees now have the right to increased transparency to ensure their data is being managed correctly under the GDPR legislation.
There is a lot of information to digest and understand around the topic of GDPR. To prepare, it would be beneficial to take advantage of the payroll software providers who are running free training sessions that are easily accessible online. Businesses should fully understand the concept of GDPR and the impact it will have on both their business and their employees.
There are three basic sets of rules relating to individual’s payroll and personal data, as outlined on the following page. ?
Understanding GDPRData Management
Payroll and personal data must be processed lawfully, fairly and in a transparent manner. For businesses, employee data must be collected for the legitimate purpose of completing the payroll on behalf of their employees. All employee data must be kept up-to-date and accurate and should only be used for the purpose gathered. Businesses must ensure that employee data, including payroll information, is protected and adequately secured against loss, damage, unlawful access and cyber attacks.
Transferring Data Internationally
Under GDPR, it is prohibited to send your employee’s data outside the European Economic Area unless that country provides an adequate level of protection for the rights of individual’s personal data. Transferring your employee’s data outside of the EU requires extra caution and must meet the specific criteria as set out in the GDPR regulations.
Data Processing
Where a business processes their payroll in-house, they are known as data controllers and data processors. Where a business outsources their payroll to an accountant or payroll bureau, the bureau is the data processor and you, as the business, are the data controller. The payroll data processor can lawfully process data on behalf of your business as long as there is a written contract between you and the outsourcing provider.
The contract represents a legal obligation for the payroll processor to have access to the data in order to complete the payroll. Data processors must only process data as per the written instruction of their client, hence it is of the utmost importance that a comprehensive contract is in place.
Additionally, the GDPR legislation sets out further requirements regarding what must be included in the contract between a payroll processor and their client. These include, but are not limited to, confirmation of security, confidentiality and details of any sub-processor used. Businesses who need further assistance in relation to these new terms would be well advised to speak to their accountant or payroll bureau for further details.
All businesses will need to review and update their current data protection policies. Any updated policies should be clearly communicated to all employees. Check with current software providers, data processors and contractors to see what they are doing to comply with the GDPR legislation. You will likely need to update or amend certain contracts you have with your third party contractors or vendors.
Businesses need to make sure they are prepared in advance of the May deadline. The GDPR legislation makes every business responsible for any third parties (accountant/payroll bureaus) who process personal data on their behalf. Under the terms of GDPR, payroll processors will need to manage and store their client’s information in a more secure environment. It will also be important to keep a record of how you are storing this information and for what purpose should you ever be audited or reported.
GDPR Preparation
Outsourcing Your PayrollThe GDPR stipulates that a contract must exist between a data controller (business) and a data processor (accountant or payroll bureau). The actual onus is on data controllers to put contracts in place. If you process your payroll in-house, you are the data controller and the data processor and no contract is required. If the payroll is outsourced and the accountant or payroll bureau is audited, they may need to provide certain information to prove their GDPR compliance such as:
Agreed Contract
There needs to be a written contract or letter of engagement in place between data controllers and data processors that covers GDPR. This contract would outline that employee’s personal data will be provided to the data processor to process the payroll for the business. This does not mean a business can simply hand over their employee’s personal data to a data processor and then cast a blind eye. The business must ensure the data processor is also compliant with the GDPR.
Fulfilling the Contract
To fulfil the contract, data processors will hold certain business information, such as the employer PAYE reference number and their bank account details, which is all legitimately viable under GDPR. Data processors will need to hold this personal information in order to fulfil the agreed contract of processing their client’s payroll.
Legitimate Reason
Every business needs to have a legitimate reason as to why they hold an individual’s personal details. Data controllers and processors can hold employee payroll information to complete the payroll, such as employee PPS numbers, tax codes, dates of birth and employee salaries. Under the GDPR legislation, this is classified as a valid and legitimate reason to hold this kind of personal payroll information.
Businesses should keep a record of how they are securely protecting the data that they process and manage. Where a business outsources their payroll to a data processor, they should still ensure that their employee’s data is securely maintained and adequately protected by the third party under the rules of GDPR. Should your business be subject to an audit or a GDPR breach, you will need to show evidence that demonstrates you have taken the appropriate actions to protect personal data held by your organisation and any third party organisations.
Proof of Compliance
Businesses should password protect computers or devices that hold personal payroll data, for example the PC that they access the payroll software on. The payroll software application itself should also be password protected should anyone else ever access your computer. It is advisable to password protect your employee payslips that you may email to employees each pay period. Your payroll software supplier should provide a password protection feature for employee payslips. Businesses will need to provide detailed information on how long the personal data will be stored for. According to guidelines, you should keep payroll records and payslips for up to 6 years from the end of the tax year they relate to.
Protecting Payroll Data
You must provide employees with information on what happens to their data, for example sharing employee’s personal data with a third party who processes the payroll on your behalf. Employee personal data can be stored and managed by a payroll bureau, bookkeeper or accountant for the sole benefit of correctly paying their wages, paying the correct tax and providing a payslip. All of this legitimately falls under the remit of the GDPR legislation. By law, employers must provide employees with payslips which include personal data such as proof of earnings, tax paid and any pension contributions. It is advisable that businesses take steps to protect and securely send this payslip information.
£
Payslips and GDPR Compliance2
Many employers have expressed concern and confusion in relation to getting consent from employees to use their data to correctly pay them and securely send them a payslip. Employers do not need to seek consent from individual employees, as you are legally obliged to pay your staff. If the payroll is outsourced to a data processor, the employer will need to inform their employees that they are sharing their personal information with a third party. An employer does not need to seek employee consent to outsource the payroll. It is also an employers responsibility to ensure that their data processor is taking action to protect their employees’ payroll information under GDPR.
An employee cannot withdraw their consent for their personal data to be used as part of the payroll processing. It should be noted that data processors should keep only the personal data that is strictly required for the purpose of processing the payroll. This is referred to as data minimisation or privacy by default.
Employee ConsentThere is nothing in the GDPR legislation that states it is no longer permissible to post payslips. Payroll data processors who post payslips will need to ensure that all appropriate security measures are in place to protect the payslip. For example, you may use security payslip envelopes, marking the envelope as ‘Private and Confidential’ and ensuring that it is addressed to a specific person. In some cases, you may decide to use registered post.
Posting Payslips
Emailing PayslipsThere is nothing in the GDPR legislation that states it is no longer permissible to email payslips. However, data processors should take steps to securely protect each employee’s payslip. When emailing payslips, you should ensure that all payslips are password protected with a password that is uniquely chosen by the employee. The payslip should be sent directly to the employee’s chosen email address.
Where a generic and identical password is used for all employees, this could be considered a breach of GDPR. In this scenario, the controller and data processor could be seen as not taking sufficient steps to offer the most secure environment to protect employee’s personal pay information.
Furthermore, your payroll provider should provide secure encryption on all payslips and automatically delete payslips that are being sent from their server. Check with your provider to be certain that they are offering this level of protection. If not, you should look for another payroll provider or data processor who will. For maximum security, it is recommended (but not mandatory) to offer a secure self-service portal to securely send and store payslips and other sensitive payroll documents. @
Recommended Self-Service AccessThe GDPR legislation includes a best practice recommendation for businesses to provide individuals with a secure self-service platform offering remote access to information held. On a self-service system, employees can remotely access payroll information including payslips, contact details, and employee documents such as contracts of employment and company handbooks. Employees can also request leave and view their annual leave entitlements including leave taken and leave remaining, which are also considered personal data.
According to the GDPR legislation:
“A data subject should have the right of access to personal
data which have been collected concerning him or her. Where possible, the controller should
be able to provide remote access to a secure system which would provide the data subject with direct access to his or her
personal data.”
(Recital 63)
The employee self-service portal should be password protected for every employee. Again, identical or a generic password must not be used for all employees. Each employee’s password should be unique, chosen by the employee and confidential, offering maximum protection. Accessing payslips and personal contact details through a remote access secure system will provide flexibility and full transparency for employees to retrieve and update their information at any time.
A self-service portal offers significant benefits for data controllers and data processors to comply with the GDPR legislation. Remote access will provide you and employees with direct access to their payroll information anywhere, anytime. You can login 24/7 to view all employees’ payslips, leave requests, HR documents, amounts due to Revenue and other payroll reports.
Employers also benefit as they can now automate the distribution of payslips. A self-service portal that is directly integrated with the payroll will allow for payslips to be automatically available as soon as the payroll is finalised. This offers additional security against cyber attacks and eliminates email hacks that could occur when sending and receiving payslips or payroll reports by email. Additionally, a self-service option allows businesses to keep their data updated and accurate as employees can edit their contact information.
Recommended Self-Service Access
Businesses must issue notifications of valid data breaches to the local supervisory authority within 72 hours of becoming aware of them. Failing to report a breach can result in an investigation and/or penalties. Individuals also have the option to file a class action lawsuit if a business does not comply with GDPR. The legislation applies to every business large and small in Ireland - there will be no exceptions for small businesses.
There is a mandatory breach reporting requirement, where employers must report certain types of breaches to the data protection authority. A personal breach occurs where a businesses security systems have been compromised leading to the ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’.
A business must determine the level of the breach’s severity and the risk it could present to an individuals rights and freedoms. If it is considered a risk then you must notify the Office of the Data Protection Commissioner (DPC). If there is no risk then you do not have to report it. However, businesses who do not report a breach should keep a record and be able to justify their reasoning behind their decision not to report it and document those reasons.
3 Breaching GDPR
Data Breach Plan of Action
Non-Compliance & Penalties
Make sure you have suitable procedures in place to notify the regulator where breaches have been reported and identified. Inform all staff of the correct procedure to follow should a breach occur. Check with your IT team or staff to ensure your computer systems allow for your employees to securely delete and manage personal data in line with the GDPR legislation.
Data Breach Plan of Action
!
The office of the DPC will take non-compliance very seriously with significant fines and penalties in place for businesses who breach the GDPR legislation. Fines will be incurred of €20 million or 4% of a businesses turnover, whichever is the greater amount. The level of the fine being imposed will depend on the type of breach that the business has committed. The fines are designed to punish any business that willfully ignores their GDPR obligations after the May deadline. However, fines can be mitigated against if there is evidence that shows that a business has prepared and worked towards GDPR compliance.
4 How BrightPay Connect can helpUnder the GDPR legislation, where possible the controller should be able to provide self-service remote access to a secure system which would provide the data subject with direct access to his or her personal data. BrightPay Connect is a self-service option which will give you and your employees online remote access to view and manage your payroll data 24/7.
BrightPay Connect is tailored to help you overcome the challenge that GDPR presents. Furthermore, the cloud functionality will improve your payroll processing with simple email distribution, keep employee records up- to- date, safe document upload, easy leave management and keep a secure backup of your payroll records.
Online synchronisation and automated backup of payroll data will maintain accuracy and improve efficiency of your data. By introducing a self-service option, you will begin a new way of remotely accessing information and you will be taking steps to be GDPR ready benefiting from enhanced cloud efficiencies.
The option of BrightPay Connect will keep your employee payroll data secure and offer your employees the added reassurance that you are taking action to become GDPR ready.
The advantages of a cloud backup and self-service software are numerous, but mainly it significantly increases the efficiency and effectiveness of payroll work. Workflow is increased since employers are no longer wasting time on manual data processing and therefore are working quicker and more efficiently within the remit of the GDPR guidelines.
BrightPay Connect is an online payroll and HR software solution that has been developed to help our customers become GDPR ready. It removes the manual data entry requirement for annual leave management, updating employees details, re-sending payslips, backing up your data and HR processing.
Simplify your GDPR compliance with BrightPay Connect
Employer Dashboard:
Instant access to payroll information with the online self-service employer dashboard. Both you and your accountant can have remote and secure access to employee payslips, payroll reports, amounts due to Revenue, annual leave requests and employee contact details.
Employee Self-Service Portal
Invite employees to their own self-service online portal. This secure system would provide employees with direct access to his or her personal data. Employees can securely view and download payslips, P60s and P45s and easily submit holiday requests, view leave taken and leave remaining.
Here are the Biggest GDPR Advantages of BrightPay Connect:
Integration with Payroll
BrightPay Connect is fully integrated with BrightPay’s payroll software ensuring the payroll data is correct at all times. The employee’s leave calendar, changes to employee contact details, employee payslips and payroll reports are all automatically updated and synchronised between both the payroll software and BrightPay Connect.
Cloud Backup
Under GDPR, it is important to keep a copy of payroll files safe in case of fire, theft, damaged computers or cyber attacks. BrightPay Connect is powered using the latest web technologies and hosted on Microsoft Azure for ultimate performance, reliability and scalability. BrightPay Connect maintains a chronological history of all backups which can be restored or downloaded any time, keeping your payroll records protected.
24/7 Online Access
BrightPay Connect allows password protected mobile and online access to your payroll data anytime and anywhere. This fulfils the recommendation to provide remote access to a secure system where your employees would have direct access to their personal data.
HR & Annual Leave Management
Employers can view all upcoming leave in the BrightPay Connect company wide calendar where they can easily authorise leave requests with changes automatically flowing back to the payroll. You can upload sensitive HR documents such as employee contracts keeping confidential information restricted to each individual employee.
Reduce HR Queries
BrightPay Connect makes it possible to drastically reduce the number of HR queries you deal with such as access to view personal data, payslip requests, annual leave requests, managing employee contact information and employee payroll records.
Book a BrightPay Connect Demo
Cloud advancements enables an interactive collaborative experience for employers, your employees and your accountant. BrightPay Connect speeds up and transforms the accountant / employer relationship from a document exchange or transactional relationship to an instant access one. Book a demo today to see just how BrightPay Connect can help towards GDPR compliance.
GDPR Advantages of BrightPay Connect
5 How BrightPay is PreparingBrightPay is a desktop application that sits on your computer - we do not have access to your data files, except where they have been submitted for support reasons.
We have no control over the authority, the quality or safety of the data input. You and you alone are responsible for the accuracy and completeness of your payroll records.
Whilst we have security measures in place to protect your data, it will remain your responsibility to keep your sign in details confidential and to close down BrightPay products on your PC when they are not being used. To protect your information, you will need to ensure there is no unauthorised access to your computer and that your BrightPay application is password protected.
BrightPay are committed to continually helping our customers comply with any legislation changes. Therefore, we have made many changes that will help you with GDPR compliance. Below are some of the key changes made that will affect our customers.
Customer Support
When assisting with customer support queries, we may request a backup of an employer file to fully resolve the customer query. We have put in place additional security protocols to make this process even more secure. We have created an in-program support feature that allows users to automatically send a backup of their payroll to us through a secure channel. This enhanced feature means you don’t have to upload the backup to your email where you may forget to delete it.
On BrightPay’s side, the backup never gets saved on the support assistant’s PC or email account. As part of GDPR compliance, we must have the ability to securely delete any unnecessary data we hold. The customer backups received are all saved centrally on a secure server which are automatically deleted after one week. Additionally, there is increased encryption of the payroll data files for added security and protection.
Online Support
We have added a range of support pages on our website including:
• Frequently Asked Questions
• GDPR and BrightPay
How is BrightPay Preparing?
Privacy Policy
We are in the final stages of updating our privacy policies which will be going live on our websites shortly. The new privacy policy clarifies to individuals whose data we process detailing:
• How we use your data
• Who we share it with
• How long we keep it
We have worked hard so that this updated policy is detailed, yet simple and easy to understand.
IT Audits
Over the last year, we have completed internal IT audits on all our company PC’s, securely deleting any unnecessary files and data. Going forward, we will conduct regular audits to keep track of our GDPR compliance and ensure we are not retaining any unnecessary data.
Secure Servers
We have looked at how information is sent to and retrieved from our secure servers, be it for the purposes of maintaining our websites or our CRM system. We have now changed all of our servers over to more secure Microsoft Azure servers. We have also introduced IP whitelisting, meaning that knowing the login credentials is not enough, the request must come from a trusted location.
How is BrightPay Preparing?
Additional Consent
We have introduced additional consent fields on different areas of our software and websites. These consent forms are explicitly asking for consent to sign up to our newsletter which contain information about webinar events, special offers, legislation changes, other group products and payroll related news. We have an automated facility that allows users to unsubscribe from our emails at any time. With the exception of essential software updates, customers will not be contacted unless they have specifically opted in to our mailing list.
Staff Training & Awareness
Internally, we have run a number of training sessions with our staff to ensure everyone understands the implications of the GDPR legislation. Going forward, we will continue to hold in-house training and update sessions to ensure our staff are fully aware of the new legislation and how it impacts their role.
Password Protect Payroll Files
BrightPay provides users with a facility to password protect your BrightPay software application, export payroll reports and payslips that are sent directly through to employees. Taking the option to password protect these payroll documents is a step that you can take towards adding more security and protection to the data you manage, store and distribute.
How is BrightPay Preparing?
BrightPay Connect - Self Service Portal
Our cloud add-on, BrightPay Connect offers a self-service remote access facility to automatically add payslips, payroll reports and employee annual leave information to the employer dashboard and send payslips to the employee portal. BrightPay Connect additionally offers a secure, automated and user-friendly way to backup and restore your payroll data on your PC to and from the cloud.
Employers can access all employees payslips, payroll reports and employee leave including annual leave, unpaid leave, sick leave and parenting leave. Employees can browse and download historic payslips and other payroll documents such as their contract of employment. A self-service remote access facility is recommended but not mandatory.
Bright Contracts
If you are using our sister product, Bright Contracts, we are finalising the Data Protection and Privacy Policies within the software and will update all customers when they are live.
How is BrightPay Preparing?
